Some systems of access control, for example access control lists (ACLs) associated with a topic tree in a publish/subscribe system, allow for the creation of an access control mechanism which enables the policy at one node in the tree to be inherited by the descendant nodes. This avoids the need for explicit ACLs at every node of the tree.
For example, in a simple system where users have their access controlled for publish and/or subscribe operations, and the tree structure is built from the topic structure, each node has an associated list which contains (principal, access) pairs, where “principal” may be the user or group to whom the access control applies, and “access” describes the access control to be applied. In the publish/subscribe example, “access” includes a value for subscribe access and a value for publish access. These typically take one of the values “permit”, “deny”, or “inherit”, where “inherit” indicates that the policy in force for a user or group is inherited from a parent node. The absence of an explicit access control list entry for a principal is equivalent to all values set to “inherit”. Therefore, the inheritance model is for all descendants without an explicit access control list entry to inherit their access controls from the closest ancestor node which has a directly associated access control list. This is known as the sparse ACL model.
Systems implementing this inheritance model allow access control to be generalized: broad rules are set high in the hierarchy, while more specific rules are applied to sub-trees or leaf nodes within the hierarchy.
There are, however, some problems with this approach which are related to the following characteristics of the model:
1) The controls take effect at the node on which they are defined.
2) The controls always affect all descendant nodes which do not have overriding controls.
The limitation with 1) is that in a broad tree where nodes have many children, either the access control must be set on the parent of the children—allowing users access to the parent node—or access control must be set individually on each child.
The limitation with 2) is that in a tall tree, where it is only desirable for certain principals to use intermediate nodes, but where general rules apply to the leaf nodes, controls must be applied individually at the leaf nodes.
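As an added illustration (not code from the patent), the following Python model implements the sparse ACL resolution described above over a constructed three-node topic tree; the topic names, the per-operation walk toward the root, and the default of "deny" when no explicit decision is found anywhere are assumptions. The tree is chosen so that the two limitations above are visible: permitting subscribe at the root grants the root itself, and a leaf must carry its own entry to override the root's publish decision.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional

PERMIT, DENY, INHERIT = "permit", "deny", "inherit"


@dataclass
class Access:
    # One value per operation; "inherit" defers to the nearest ancestor entry.
    subscribe: str = INHERIT
    publish: str = INHERIT


@dataclass
class Node:
    name: str
    parent: Optional["Node"] = None
    acl: Dict[str, Access] = field(default_factory=dict)  # principal -> Access


def resolve(node: Node, principal: str, op: str) -> str:
    """Effective decision for `op` ('subscribe' or 'publish') at `node`.

    Walks toward the root and returns the first explicit permit/deny found
    for the principal; an absent entry is treated as all-"inherit".
    """
    n = node
    while n is not None:
        entry = n.acl.get(principal)
        if entry is not None and getattr(entry, op) != INHERIT:
            return getattr(entry, op)
        n = n.parent
    return DENY  # assumption: no explicit decision anywhere means deny


def build_example_tree() -> Dict[str, Node]:
    """Constructed topic tree: "/" -> "news" -> "news/sport"."""
    root = Node("/", acl={"alice": Access(subscribe=PERMIT, publish=DENY)})
    news = Node("news", parent=root)  # no ACL: inherits everything from "/"
    sport = Node("news/sport", parent=news,
                 acl={"alice": Access(publish=PERMIT)})  # overrides publish only
    return {"/": root, "news": news, "news/sport": sport}


if __name__ == "__main__":
    t = build_example_tree()
    # Limitation 1): permitting subscribe at "/" also grants alice "/" itself.
    print(resolve(t["/"], "alice", "subscribe"))           # permit
    print(resolve(t["news"], "alice", "publish"))          # deny (from "/")
    print(resolve(t["news/sport"], "alice", "publish"))    # permit (leaf override)
    print(resolve(t["news/sport"], "alice", "subscribe"))  # permit (inherited)
    print(resolve(t["news"], "bob", "subscribe"))          # deny (no entry)
```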
Despite these problems, the sparse ACL inheritance model described above has been widely used. U.S. Pat. No. 5,956,715 (and related U.S. Pat. Nos. 6,061,684 and 6,308,173) discloses inheritance of a node's ACLs by all descendants of that node, with each node automatically inheriting from the nearest ancestor which has a defined ACL. A user may choose to change ACLs on descendant nodes when changing ACLs on a parent, but the inheritance model remains the same—i.e. that all descendant nodes which do not have their own explicit ACL inherit from the closest ancestor which does have an explicit ACL.
U.S. Pat. No. 5,778,222 discloses a method and system for managing access to objects within an hierarchical structure, and an API is provided for managing changes to ACLs. The API includes user-selectable options including: an “absolute” ACL change operation in which a changed ACL overrides and replaces all previous ACLs defined for descendant directories of the hierarchy; a “union” operation in which a new ACL is OR'd with descendant directories; a “non-intrusive” ACL change operation in which ACLs are not added to any parent or children directories where the parent already has an ACL defined; and a delete operation for removing ACLs. While this provides flexibility and assistance for ACL change management, the default inheritance model remains for each node of the hierarchy to inherit from the closest ancestor having an explicit ACL entry.
U.S. Pat. No. 6,158,007 discloses use of ACLs in a publish/subscribe messaging environment, and discloses child subjects of a subject tree structure inheriting their security policy (and hence the ACL) of a parent subject. A default security policy may be assigned to subjects which do not have an explicit security policy associated with them, and this will also be inherited by descendants in the absence of an explicit security policy.
U.S. Pat. No. 5,701,458 discloses a system and method for managing access control lists in a data processing system with an hierarchical object structure which permits manipulation of an arbitrary set of ACLs and individual entries within an ACL. By permitting operation on the arbitrary set of ACLs rather than a resource tree, heterogeneous trees remain after the apply function. Nevertheless, the standard inheritance model, inheriting access controls from the nearest ancestor having an explicit ACL, is implemented following the flexible manipulation.
U.S. Pat. No. 5,335,346 is another example patent which discloses objects inheriting access control policies from a parent object, in the context of ACLs in an object-oriented database.